SERVICES WRITE-UPS 




MOTIVATION 


“The main goal of RUCTFE is to share experience and knowledge in the computer security and to have some fun together.”

— RuCTFE Rules


RULES 


• Each team has an image
• There are some services on this image
• There are some vulnerabilities
• Hack 'em all!


Maxim Muzafarov aka messiah


MINISTRY OF LOVE 


ABOUT SERVICE 


• Python
• Tornado web server
• Momoko
• WebSockets


WATCH CRIMES 


[screenshot: Ministry of Love crime feed — cards with crime id and article (e.g. HY361334: ROBBERY, HY247738: CRIMINAL DAMAGE, HY274492: THEFT, IX5PTTZ4EOOG: ASSAULT, HY282374: MOTOR VEHICLE THEFT), each with a country/city and a date]


REPORT A CRIME 


[screenshot: "Report crime" dialog — participants, "In process" and "Public" checkboxes, Cancel / Send buttons]


AUTHENTICATE 


[screenshot: Ministry of Love login page — a list of user names to authenticate as (Pearl Bradley, Isaac Butler, Annette Harris, Matthew Rhodes, Jackie Armstrong, Gladys Hayes, Arianna Caldwell, Jacqueline Schmidt)]


HACK IT! 


SQL INJECTION 


    @authorized
    @gen.coroutine
    def show_crimes(self, message):
        # offset comes straight from the client's WebSocket message;
        # a JSON string here is repeated ten times, not multiplied
        offset = message['params']['offset'] * 10
        try:
            # the value is %-formatted into the SQL text, not bound as a parameter
            cursor = yield self.application.db.execute(
                "SELECT crimeid, name, article, city, "
                "country, crimedate, public "
                "FROM crimes ORDER BY crimeid "
                "DESC LIMIT 10 OFFSET %s" % (offset, )
            )
            db_result = cursor.fetchall()


SQL INJECTION

    cursor = yield self.application.db.execute(
        "SELECT crimeid, name, article, city, "
        "country, crimedate, public "
        "FROM crimes ORDER BY crimeid "
        "DESC LIMIT 10 OFFSET %s" % (offset,)
    )
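The two slides above show the bug but not the fix. The block below is an added example, not code from the slides or from the Ministry of Love service: it mirrors the vulnerable formatting in render_unsafe and puts the hardened handler logic next to it in fetch_crimes_safe. The in-memory SQLite table, the column subset and the function names are assumptions (the service uses PostgreSQL through Momoko, where the bound-parameter form is the same `%s` with a separate argument tuple).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the service's crimes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crimes (crimeid INTEGER PRIMARY KEY, name TEXT, "
        "article TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO crimes (name, article, public) VALUES (?, ?, ?)",
        [("case-%d" % i, "ROBBERY" if i % 2 else "THEFT", int(i % 3 == 0))
         for i in range(1, 26)],
    )
    return conn


def render_unsafe(offset):
    """Mirror of the vulnerable handler: whatever the WebSocket message carried
    as params.offset is multiplied by 10 and %-formatted into the SQL text.
    With a JSON number that is arithmetic; with a JSON string it is string
    repetition, and the string lands verbatim inside the query."""
    offset = offset * 10
    return ("SELECT crimeid, name, article, public FROM crimes "
            "ORDER BY crimeid DESC LIMIT 10 OFFSET %s" % (offset,))


def fetch_crimes_safe(conn, page):
    """Hardened version: type and range are checked first, and the value is
    bound as a query parameter, so the driver never treats it as SQL."""
    if type(page) is not int or page < 0:
        raise TypeError("page must be a non-negative integer")
    cur = conn.execute(
        "SELECT crimeid, name, article, public FROM crimes "
        "ORDER BY crimeid DESC LIMIT 10 OFFSET ?",
        (page * 10,),
    )
    return cur.fetchall()
```

The type check matters on its own: a bound parameter stops the string from being parsed as SQL, but a handler that accepts `"1"` where it expects `1` will still behave differently from what its author tested.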
PROFILE SPOOFING

    yield self.application.db.execute(
        "INSERT INTO users(uid, username, password, role, profile) "
        "VALUES (%(uid)s, %(username)s, "
        "%(password)s, %(role)s, %(profile)s)",
        user
    )

Bind profile without authentication


PROFILE SPOOFING 


Profile ids are visible in open crimes

[screenshot: browser DevTools (Elements / Network) on the closed crime HY361334 ROBBERY, City MZ/Menuca — every participant link, e.g. Brett Palmer, carries a data-uid attribute holding the profile id 23ddd8d8-16be-4f04-9bd1-6fb22c67100b]
SAME DATABASE

• Each team has a similar database
• Each team has all authentication data

"BACKDOOR"

    user['role'] = len(user['username']) > 3

Sploit: bit.ly/ructfe_mol


MINISTRY OF TAXES 


Pavel Blinov aka pahaz 


ABOUT SERVICE 


• Node.js
• Koa web framework
• Custom router


ADD PERSONAL DATA 


Profile 


Thou Very Personal Profile 


Save 


UPLOAD REPORT 


Upload your tax declaration 


Select your personal data and upload tax declaration 


Go to the profile page to fill in personal data 


Thou Very Personal Profile 


Choose Files | Thou Report.xml


Upload 


UPLOAD REPORT 


OK, we uploaded your file! 


Click here to download just uploaded declaration 


| Thou Very Personal Profile: Very Secret Data 


HACK IT! 


WEAK ID GENERATION

    var _id = md5(seconds());

So what?

WEAK ID GENERATION

    var pdata = yield db.pdata.findOne({'_id': kwargs['pdata']});

upload.js

Y U NO CHECK USER
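The two slides describe one weakness compounding another: an id derived from the clock, and a lookup that trusts the id alone. The block below is an added example, not code from the slides or from the tax service; it models both in Python (the service is Node.js). The PersonalDataStore class, its owner field and the function names are assumptions.

```python
import hashlib
import secrets


def weak_id(seconds):
    """The service's scheme (var _id = md5(seconds())): the md5 of the
    current Unix second. Whoever knows roughly when a report was uploaded
    can regenerate its id, and there is nothing else to guess."""
    return hashlib.md5(str(int(seconds)).encode()).hexdigest()


def candidate_ids(approx_seconds, window):
    """Size of the search a guesser faces when the upload time is known to
    within +/- window seconds: 2*window+1 candidates in total."""
    start = int(approx_seconds)
    return [weak_id(s) for s in range(start - window, start + window + 1)]


def strong_id():
    """Replacement: 128 bits from the OS CSPRNG, independent of the clock."""
    return secrets.token_hex(16)


class PersonalDataStore:
    """Constructed stand-in for the db.pdata collection, with an owner
    recorded on every document (the field name is an assumption)."""

    def __init__(self):
        self.docs = {}

    def insert(self, owner, data):
        doc_id = strong_id()
        self.docs[doc_id] = {"_id": doc_id, "owner": owner, "data": data}
        return doc_id

    def find_one_unchecked(self, doc_id):
        # Mirrors db.pdata.findOne({'_id': ...}): whoever presents the id
        # gets the document, no matter who uploaded it.
        return self.docs.get(doc_id)

    def find_one_for(self, doc_id, user):
        # The missing check: the lookup is scoped to the requesting user, so
        # even a correctly guessed id returns nothing unless it is theirs.
        doc = self.docs.get(doc_id)
        if doc is None or doc["owner"] != user:
            return None
        return doc
```

Either fix alone closes the hole the slides exploit; doing both means an unguessable id is not the only thing standing between a report and a stranger.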


REMOTE CODE EXECUTION

    } else if (regex.test(name)) {
        try {
            console.log("try ./" + name.replace('.', '/'));
            require("./" + name.replace('.', '/'));

REMOTE CODE EXECUTION

    require("./" + name.replace('.', '/'));

Sploit: bit.ly/ructfe
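The router loads a module whose path is built from the request, which is what turns a route name into code execution. The block below is an added example, not code from the slides or from the tax service, written in Python rather than the service's JavaScript: resolve_vulnerable mirrors the path construction (including the detail that replace with a string argument rewrites only the first dot), and resolve_safe shows the usual fix, dispatching through an explicit table. The HANDLERS entries and ROUTE_RE are assumptions.

```python
import re

# Constructed handler table: the only route names the dispatcher will ever
# resolve. Adding a route means adding an entry here, not dropping a file
# into a directory that a user-supplied string is allowed to point at.
HANDLERS = {
    "profile.show": lambda: "profile page",
    "report.upload": lambda: "upload form",
}
ROUTE_RE = re.compile(r"^[a-z]+(\.[a-z]+)?$")


def resolve_vulnerable(name):
    """Mirror of the service's logic: a dotted route name becomes a relative
    module path that is then loaded. Like name.replace('.', '/') in
    JavaScript, only the first dot is replaced, and nothing keeps the result
    inside the routes directory."""
    return "./" + name.replace(".", "/", 1)


def resolve_safe(name):
    """Allow-list dispatch: the name must match a strict pattern and be a key
    of HANDLERS; anything else is refused without touching the filesystem."""
    if not ROUTE_RE.match(name):
        return None
    return HANDLERS.get(name)
```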
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ELECTIONS FOR E-DEMOCRACY 


Konstantin Plotnikov aka kost 


ABOUT SERVICE 


• C# + Mono
• Homomorphic encryption


ELECTIONS 


[screenshot: Electro front page — "Start election", "Find election", "Existing elections": each election (e.g. Election_SDWsnWx…) lists Nominate till / Vote till timestamps on 2015-11-24 and, once closed, a Winner such as Nigel_Brooks_431481529 or Albert_Bailey_178921210]


NOMINATE 


[screenshot: Election_gvM9CTqvpYfa — Nominate button; Candidates: Leonard_Simmons_1000762633; Votes: "No votes here by now"]


VOTE 


[screenshot: the same election — Candidates: Leonard_Simmons_1000762633, Indra_Harris_26877691; Votes]


GET ELECTED 


[screenshot: the same election after voting — Leonard_Simmons_1000762633 marked as elected, with the encrypted vote values listed under Votes]


HACK IT! 


UNFILTERED INPUT 


• Client-side vote generation & encryption
• Vote — vector of integers
• Election result — sum of votes


UNFILTERED INPUT 


    encrypt: function(vote_vector, public_key) {
        var self = this;
        // every component of the client-built vector is encrypted as-is;
        // nothing checks that it is a 0 or a 1
        return $.map(vote_vector, function(vote_element) {
            return self.encrypt_bit(vote_element, public_key);
        });
    }


break & hack 


UNFILTERED INPUT 


• Calculations are made modulo 243
• Overflow competitor's value
• Let the battle begin!

WEAK PRIVATE KEY GENERATOR

• Calculations are made modulo 243 = 3^5
• Private key — random number
• Chance of them being non-coprime
• 3 divides private key → can decrypt


WEAK PRIVATE KEY GENERATOR 


[screenshot: Election_D9s1bIMm92sIpi — Candidates: Agnes_Tucker_465596423; Votes]


WEAK PRIVATE KEY GENERATOR

    >>> for row in numbers:
    ...     print("".join([str(num % 3) for num in row]))
    000000000100000000000
    010000000000000000000
    000000000000000000100
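The two Electro weaknesses above both come down to arithmetic modulo 243 = 3^5: an unchecked vote component wraps the tally, and a private key that 3 divides has no inverse in that ring. The block below is an added example, not code from the slides or from the Electro service, covering both the UNFILTERED INPUT and the WEAK PRIVATE KEY GENERATOR slides. It models only the modular tally and the key check; the slides do not give the cipher itself, so it is not reproduced, and the 1..242 key range, the one-hot ballot rule and the function names are assumptions.

```python
import math
import random

MODULUS = 243  # 3**5: the ring in which the service adds up encrypted votes


def tally(votes):
    """Election result as the slides describe it: component-wise sum of the
    vote vectors, reduced modulo 243 (one component per candidate)."""
    width = len(votes[0])
    return [sum(v[i] for v in votes) % MODULUS for i in range(width)]


def is_one_hot(vote, n_candidates):
    """The check the service never makes: a ballot must have the right width,
    exactly one 1 and zeros elsewhere. A component of 242 passes through the
    homomorphic sum as -1 for that candidate."""
    return (len(vote) == n_candidates
            and all(x in (0, 1) for x in vote)
            and sum(vote) == 1)


def keygen_weak(rng):
    """Private key drawn uniformly from 1..242 (an assumption based on the
    slide: a random number, no coprimality check). Every third value is a
    multiple of 3 and has no inverse modulo 3**5."""
    return rng.randrange(1, MODULUS)


def keygen_safe(rng):
    """Retry until gcd(key, 243) == 1, i.e. until 3 does not divide the key."""
    while True:
        key = rng.randrange(1, MODULUS)
        if math.gcd(key, MODULUS) == 1:
            return key


def weak_key_fraction(trials, seed=0):
    """Empirical share of non-invertible keys from keygen_weak; the exact
    value is 80/242, a little under one third."""
    rng = random.Random(seed)
    bad = sum(1 for _ in range(trials)
              if math.gcd(keygen_weak(rng), MODULUS) != 1)
    return bad / trials


def safe_keys_all_coprime(trials, seed=0):
    rng = random.Random(seed)
    return all(math.gcd(keygen_safe(rng), MODULUS) == 1 for _ in range(trials))
```

Because the votes are encrypted on the client, the server cannot run is_one_hot on plaintext; in a real design the proof that a ballot is well-formed has to travel with the ciphertext. The key check, by contrast, is cheap and entirely server-side.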


NASA RASA 


Andrey Gein aka andgein 


ABOUT SERVICE 


• PHP
• MySQL


REPORT A PLANET 


Let us know about unknown planet 


Declination (from -90 to 90 degrees) 


Hour angle (from -12 to 12 degrees) 
Brightness (from 0 to 100) 


Size (from 0 to 100) 


BROWSE DISCOVERED PLANETS 


[screenshot: NASA RASA planet card — Declination: … degrees, Hour angle: 7 degrees, Brightness: 85%, Size: 24%, Color: Dark Blue; "Message visible only for you": Thy Very Secret Information]


BROWSE USERS 


[screenshot: NASA RASA "Last registered users" list, e.g. 2. Laquita Dambrosio, 6. Efren Antronica, 8. Lamar Gowens, 9. Aida Stewarts, 10. Rolande Arguelles]


HACK IT! 


HARDCODED DB CREDENTIALS 


Remember about RCE?

[meme: I TOLD YOU SO]


PADSPACE COLLATION 


    CREATE TABLE test (name varchar(10));
    INSERT INTO test VALUES ('a'), ('a ');
    SELECT COUNT(*) FROM test WHERE name = 'a';

bit.ly/ructfe_collations


HEALTH MONITOR 


Polina Zonova aka Klyaksa 


ABOUT SERVICE 


• Go
• SQLite


REPORT YOUR HEALTH 


[screenshot: Health Monitor]

How are you today? Write us your health indices and keep an eye on your progress!

I feel great! But that's a secret, shhh

BROWSE YOUR PROGRESS

Here are metrics you've added

Weight | Blood Pressure | Pulse | Walking Distance | Comment
80     | 120            | 80    | 10356            | I feel great! But that's a secret, shhh


HACK IT! 


AUTHENTICATION 


    auth := md5hash(Key, uid)
    id := encodeBase64(uid)

    authCookie = http.Cookie{Name: "auth", Value: auth}
    idCookie = http.Cookie{Name: "id", Value: id}


HARDCODED SALT 


const Key string = "fllecd5521ddf2614e17e4fb074a86da" 


Plan: 

1. Set up vulnbox 

2. Change all passwords & keys 
3. Win 


LENGTH EXTENSION ATTACK 


• uids are serial — we can guess
• Over 9k tools to perform MD5 LEA
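The three Health Monitor slides describe a cookie scheme with three independent faults: a hash of key||uid (extendable), a key shared by every team's image, and a guessable uid. The block below is an added example, not code from the slides or from the Health Monitor service, written in Python rather than the service's Go. It keeps the weak construction only for comparison and shows the replacement: HMAC for the tag, a per-deployment key, and constant-time verification. The function names and the cookie layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets


def auth_weak(key, uid):
    """The service's scheme: md5(Key || uid), with Key a constant compiled
    into every team's binary. A plain hash of secret||data can be extended
    by anyone who holds one valid (uid, auth) pair, and a serial uid hands
    them that pair."""
    return hashlib.md5(key + uid).hexdigest()


def auth_hmac(key, uid):
    """Replacement: HMAC-SHA256. The construction is not extendable, and the
    key comes from fresh_key on this deployment, not from a shared constant."""
    return hmac.new(key, uid, hashlib.sha256).hexdigest()


def make_cookies(key, uid):
    return {"id": base64.b64encode(uid).decode(), "auth": auth_hmac(key, uid)}


def verify_cookies(key, cookies):
    """Return the uid the cookies vouch for, or None. The comparison is
    constant-time so the tag cannot be recovered byte by byte."""
    try:
        uid = base64.b64decode(cookies["id"], validate=True)
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(auth_hmac(key, uid), cookies.get("auth", "")):
        return None
    return uid


def fresh_key():
    """Generated on install, so a key read out of the distributed vulnbox
    image says nothing about the key this instance actually uses."""
    return secrets.token_bytes(32)
```

This is the "change all passwords & keys" item of the plan, made concrete: the constant in the source is replaced by a value that only exists on the running box.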


INTERPLANETARY MIGRATION AUTHORITY 


Dmitry Titarenko aka dscheg 


ABOUT SERVICE 


• Nim
• Redis


KNOW CITIZENS 


[screenshot: Interplanetary Migration Authority home page]

Welcome to the website of Interplanetary Migration Authority. If you wa… resident of planet Turio, you need to register first. If you already register… MultiPass

Many people choose planet Turio as their home. Here are some of them

[list of recently registered citizens, each with a timestamp (13:53:41, 13:51:41, …) and an emoticon avatar]


FILL MIGRATION FORM... BUT NOT QUITE

HOME

We need to check that your motives are pure and right from your heart. Generate some thought from your mind. To verify that you think like us, we ask you to fill the mental sign field using our thought

be575199f7cb2572a8eb407e


HACK IT! 


HARDCODED DB CREDENTIALS 


And again

[meme: I TOLD YOU SO]


HMAC USING EXTERNAL LIBRARY

    proc rhash_sha3(bits: int = sha3_256_hash_size * 8, data: cstring)

cstring type

The cstring type represents a pointer to a zero-terminated char array

zero-padded user has the same HMAC


HMAC USING EXTERNAL LIBRARY 


• Login as one of citizens
• Steal flag from the filled form
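The cstring slide is about a boundary between a length-aware language and a C library that stops at the first zero byte. The block below is an added example, not code from the slides or from the Migration Authority service, written in Python rather than Nim: hmac_over_cstring emulates what the binding does to its input, hmac_over_bytes is the correct behaviour, and valid_username is the input check that closes the gap even if the binding stays. SHA3-256 is assumed from the rhash_sha3 name; the key and the function names are constructed.

```python
import hashlib
import hmac


def hmac_over_cstring(key, data):
    """Emulates handing a Nim string to a C binding whose parameter is a
    cstring: the library reads up to the first NUL byte and never sees the
    rest, so "user" and "user" followed by zero bytes get the same tag."""
    return hmac.new(key, data.split(b"\x00", 1)[0], hashlib.sha3_256).hexdigest()


def hmac_over_bytes(key, data):
    """Correct behaviour: the MAC covers every byte, length included."""
    return hmac.new(key, data, hashlib.sha3_256).hexdigest()


def valid_username(name):
    """Input check that holds regardless of the binding: non-empty, printable
    ASCII only, so no NUL (or any other control byte) reaches the hashing
    layer in the first place."""
    return bool(name) and all(32 <= b < 127 for b in name)
```

When the binding cannot be changed, the second defence is to pass an explicit length alongside the pointer (most C hash APIs take one) rather than rely on termination at all.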


MODIFYING LOCAL DATA 


• Form data stored on client side
• Form data is encrypted
• AES encryption in CBC mode
• No integrity checks

MODIFYING LOCAL DATA

• We know plaintext - JSON with filled data

    let newCipherBlock = prevCipherBlock xor oldPlainBlock xor newPlainBlock

• We can modify ciphertext
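The relation on the slide is all it takes to rewrite a CBC ciphertext whose plaintext is known, and the only thing that stops it is an integrity check. The block below is an added example, not code from the slides or from the Migration Authority service: flip_block applies the slide's formula, and seal / open_sealed show encrypt-then-MAC rejecting the same edit. The block cipher is a constructed, deliberately trivial stand-in for AES (CBC malleability does not depend on the cipher, so swapping in AES changes nothing), and the JSON form, keys and function names are assumptions.

```python
import hashlib
import hmac
import json
import os

BLOCK = 16


def _toy_encrypt_block(key, block):
    """Constructed stand-in for AES: XOR with the key, then reverse the bytes.
    Invertible, which is all CBC needs for the point made here; not secure."""
    return bytes(b ^ k for b, k in zip(block, key))[::-1]


def _toy_decrypt_block(key, block):
    return bytes(b ^ k for b, k in zip(block[::-1], key))


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = _toy_encrypt_block(key, bytes(p ^ c for p, c in zip(plaintext[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += bytes(d ^ p for d, p in zip(_toy_decrypt_block(key, cur), prev))
        prev = cur
    return out


def flip_block(iv_and_ct, index, old_plain, new_plain):
    """The slide's relation: plaintext block `index` is D(C_index) xor its
    predecessor, so replacing the predecessor with
    prev xor oldPlainBlock xor newPlainBlock makes that block decrypt to
    newPlainBlock. With the IV stored in front, the predecessor of plaintext
    block i is at position i of iv_and_ct: the IV for i == 0, otherwise a
    ciphertext block, in which case plaintext block i-1 turns to garbage."""
    blocks = [iv_and_ct[i:i + BLOCK] for i in range(0, len(iv_and_ct), BLOCK)]
    prev = blocks[index]
    blocks[index] = bytes(p ^ o ^ n for p, o, n in zip(prev, old_plain, new_plain))
    return b"".join(blocks)


def seal(key, mac_key, plaintext):
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so an edit to
    either is detected before decryption is attempted."""
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(key, iv, pad(plaintext))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(key, mac_key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return unpad(cbc_decrypt(key, body[:BLOCK], body[BLOCK:]))


def demo():
    """Returns (value of "ok" after editing the unauthenticated blob,
    whether the same edit to the sealed blob was rejected)."""
    key, mac_key = b"constructed-key!", b"constructed-mac-key"
    form = b'{"ok": false, "name": "citizen"}'   # constructed known plaintext
    old_block = pad(form)[:BLOCK]
    new_block = old_block.replace(b"false", b"true ")  # same length, still valid JSON

    iv = os.urandom(BLOCK)
    blob = iv + cbc_encrypt(key, iv, pad(form))       # what the client stores
    forged = flip_block(blob, 0, old_block, new_block)
    edited = json.loads(unpad(cbc_decrypt(key, forged[:BLOCK], forged[BLOCK:])))

    sealed = seal(key, mac_key, form)
    forged_sealed = flip_block(sealed[:-32], 0, old_block, new_block) + sealed[-32:]
    try:
        open_sealed(key, mac_key, forged_sealed)
        rejected = False
    except ValueError:
        rejected = True
    return edited["ok"], rejected
```

The field being edited sits in the first block on purpose: its predecessor is the IV, so the edit leaves no garbage block behind. An AEAD mode (AES-GCM, ChaCha20-Poly1305) gives the same guarantee as seal without a separate MAC key.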


MODIFYING LOCAL DATA 


[meme: SAY NO CRYPTO ONE MORE TIME]


MITM 


• On step 3 we need to sign a random value
• Only checker has the private key
• Let's hack value generation function
• Checker will sign everything for us

Sploit: bit.ly/ructfe_mig_sploit


THE BANK

Alexander Bersenev aka bay


ABOUT SERVICE 


• Mongoose
• Custom dictionary


CREATE ACCOUNTS 


[screenshot: "Your bank accounts (Thee)" — Account / Balance: Thy Very First Account, 1005002; "Add money to the account (this is free and always will be)": Thy Second Account, 42, Add]


TRANSFER MONEY 


[screenshot: "Transfer money" dialog — From: Thy Second Account; To: Thy Very First Account; Amount; Close / Execute]


HACK IT! 


ACCESS LOGS 


bank.teamX.e.ructf.org/access.log

[screenshot: access.log of a team's bank, readable over HTTP — every request is from the checker (84.201.188.132, "Python-urllib/3.2") on 24/Nov/2015 and carries the login, and for money operations the account name, in the query string]

    84.201.188.132 - - [24/Nov/2015:17:…:08 +0000] "GET /account.cgi?login=Queevmos4Wukalom+Ghaessess HTTP/1.1" 200 5878 "-" "Python-urllib/3.2"
    84.201.188.132 - - [24/Nov/2015:17:…:08 +0000] "GET /account.cgi?login=Niarine+Baomild+Sweentad HTTP/1.1" 200 3871 "-" "Python-urllib/3.2"
    84.201.188.132 - - [24/Nov/2015:17:…:08 +0000] "GET /add_money.cgi?amount=41225&login=Niarine+Baomild+Sweentad&account=8EV3ZORH9WEH3DRKIAFUZY2MYL59121%3D HTTP/1.1" …
    84.201.188.132 - - [24/Nov/2015:17:…:08 +0000] "GET /account.cgi?login=Niarine+Baomild+Sweentad HTTP/1.1" 200 5880 "-" "Python-urllib/3.2"
    84.201.188.132 - - [24/Nov/2015:17:…:08 +0000] "GET /account.cgi?login=Ustshywar+Panndan+Noisque HTTP/1.1" 200 5882 "-" "Python-urllib/3.2"
    84.201.188.132 - - [24/Nov/2015:17:…:08 +0000] "GET /account.cgi?login=Kirayem+Daildsul+Hadyner HTTP/1.1" 200 3871 "-" "Python-urllib/3.2"
    … "GET /add_money.cgi?amount=…&login=…&account=The+main+account+of+thouself HTTP/1.1" …
    … "GET /transfer_money.cgi?…&account=ORBA99Y5SVDBY4RD72G7PT130N91MLI%3D … HTTP/1.1" …
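The access log leaks because the bank puts credentials in GET query strings and then serves the log itself. The block below is an added example, not code from the slides or from the bank service: a small Combined Log Format parser, a scan that reports every sensitive parameter value the log exposes, and a scrubber for lines that are about to be written. The sample lines are constructed in the format of the screenshot above, with made-up names, ids and timestamps; the SENSITIVE parameter list and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines in Combined Log Format, modelled on the bank's
# access.log shown above; names, account ids and timestamps are made up.
SAMPLE_LOG = """\
84.201.188.132 - - [24/Nov/2015:17:56:08 +0000] "GET /account.cgi?login=Niarine+Baomild+Sweentad HTTP/1.1" 200 3871 "-" "Python-urllib/3.2"
84.201.188.132 - - [24/Nov/2015:17:56:08 +0000] "GET /add_money.cgi?amount=41225&login=Niarine+Baomild+Sweentad&account=8EV3ZORH9WEH3DRKIAFUZY2MYL59121%3D HTTP/1.1" 200 5880 "-" "Python-urllib/3.2"
84.201.188.132 - - [24/Nov/2015:17:56:09 +0000] "GET /transfer_money.cgi?login=Ustshywar+Panndan+Noisque&account=The+main+account+of+thouself HTTP/1.1" 200 5882 "-" "Python-urllib/3.2"
10.60.1.7 - - [24/Nov/2015:17:57:01 +0000] "GET /static/style.css HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
SENSITIVE = ("login", "account", "password", "token")
SCRUB_RE = re.compile(r'(?<=[?&])(%s)=[^&\s"]*' % "|".join(SENSITIVE))


def parse_line(line):
    """One log line to a dict with the request target split into path and
    decoded query parameters; None for lines that are not in the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec


def find_leaks(log_text):
    """Every (path, parameter, decoded value) whose parameter is one that
    must never be logged: run it over a log before deciding it is harmless."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            if name in SENSITIVE:
                leaks.extend((rec["path"], name, v) for v in values)
    return leaks


def scrub(line):
    """Redact the value of each sensitive parameter so the line can go to a
    log that someone else might read."""
    return SCRUB_RE.sub(lambda m: m.group(1) + "=[redacted]", line)
```

Scrubbing treats the symptom; the cause is credentials in URLs, which also end up in browser history, proxies and referrer headers. Moving the login to a POST body or a cookie keeps it out of the request line the web server logs by default.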


DICTIONARY 


Binary Search Tree Independent Code

DICTIONARY

• Key in BST — SHA256 from key in dict
• Value — amount of money (8 bytes)
• BST stored in array
RECOMMENDATIONS

• Always change keys and passwords
• Learn Linux administration
• Stay positive & have fun!


Thanks!

Services: Ministry of Love, Interplanetary Migration Authority, Nasa Rasa, Bank, Tax, Electro, Health Monitor


